CVE-2025-66131 is a critical security vulnerability identified in the Yaad Sarig Payment Gateway plugin for WooCommerce (WC), affecting versions up to and including 2.2.10. The core issue is a missing authorization control that allows unauthenticated attackers to bypass access restrictions and perform unauthorized actions within the payment gateway. This vulnerability stems from incorrectly configured access control security levels, which fail to properly verify the identity or permissions of the requester before granting access to sensitive functions or data. The vulnerability has a CVSS v3.1 base score of 9.1, reflecting its critical nature, with an attack vector over the network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction needed (UI:N), and impacts on confidentiality and integrity (C:H/I:H) but not availability (A:N). Exploitation could lead to unauthorized access to payment processing functions, exposure of sensitive payment data, or manipulation of transaction details, potentially resulting in financial fraud or data breaches. Although no known exploits have been reported in the wild yet, the ease of exploitation and the critical impact make this a high-risk vulnerability. The plugin is used primarily in WooCommerce-based e-commerce sites, which are widely adopted across Europe, especially in countries with mature online retail sectors. The lack of a patch link suggests that a fix may not yet be available, emphasizing the need for immediate mitigation steps. The vulnerability was reserved in late November 2025 and published in mid-December 2025, indicating recent discovery and disclosure.

For European organizations, especially e-commerce businesses using WooCommerce with the Yaad Sarig Payment Gateway, this vulnerability poses a significant risk. Exploitation can lead to unauthorized access to payment processing functions, resulting in potential financial fraud, theft of sensitive customer payment information, and loss of customer trust. The confidentiality and integrity of payment transactions can be compromised, leading to regulatory compliance issues under GDPR and financial regulations. The absence of required authentication lowers the barrier for attackers, increasing the likelihood of exploitation. This can disrupt business operations, cause reputational damage, and incur financial penalties. Given the widespread use of WooCommerce in Europe, particularly in countries with large e-commerce markets, the threat could affect a broad range of retailers, from small businesses to large enterprises. The lack of availability impact means service disruption is less likely, but data and transactional integrity risks remain critical.

Organizations should immediately audit their WooCommerce installations to determine if the Yaad Sarig Payment Gateway plugin is in use and verify the version. Until an official patch is released, consider disabling the plugin or replacing it with an alternative payment gateway that has verified security controls. Implement strict network-level access controls to restrict access to the payment gateway endpoints, such as IP whitelisting or VPN requirements. Monitor logs for unusual or unauthorized access attempts targeting the payment gateway. Conduct a thorough review of access control configurations within the WooCommerce environment to ensure no other plugins or components have similar authorization weaknesses. Engage with the plugin vendor or security community to obtain updates on patch availability and apply them promptly once released. Additionally, implement multi-factor authentication for administrative access to the e-commerce platform to reduce the risk of privilege escalation. Finally, educate staff and customers about potential phishing or social engineering attacks that could leverage this vulnerability.